In the first group litigation of its kind in the UK, the High Court has ruled that supermarket chain Morrisons is vicariously liable for a serious data breach in which the personal and banking details of almost 100,000 staff were made publicly available by a disgruntled employee. 5,500 of the affected employees brought a group claim for compensation, and the High Court ruled that the affected staff should in principle receive compensation for the breach.

The data breach in question arose from the actions of a disgruntled employee, S, who secretly and maliciously copied the supermarket’s payroll information and released it both to the press and on a public file-sharing website. S was later convicted of computer misuse and data protection offences and sentenced to eight years’ imprisonment. Upon being notified of the breach by the press, Morrisons immediately took action to minimise its impact on the affected employees.

The High Court rejected the employees’ claim that Morrisons was directly liable; it had no reason not to trust S and it had taken steps to prevent data breaches. Despite this, Morrisons was held to be vicariously liable for the malicious data breach by S, because he was acting ‘in the course of employment’ (in the extended sense).

Morrisons has been granted permission to appeal the finding of vicarious liability to the Court of Appeal, so the case may very well rumble on for some time yet. Meanwhile, it paves the way for similar claims to be brought in the future by employees who are affected by similar data breaches.

The decision has all the more significance because of the forthcoming GDPR regime (which comes into force on 25 May 2018). Under GDPR, data breaches of this nature must be reported within 72 hours to both the Information Commissioner and the affected individuals, and fines of up to 4% of global turnover (or 20 million euros) can be imposed.

This means that understanding data protection and getting your data security right has never been so important. We have extensive experience of advising employers on data protection issues and providing in-house training so that staff are trained to prevent and respond to data breaches.